LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-09-2012, 10:29 AM   #1
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Cent 5.8 Firewall allowing 224.0.0.251 on port 5353


Just wondering if anyone here knows why a default install of CentOS has this line:
Code:
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
in /etc/sysconfig/iptables.

I'm not sure why it opens this up, and Google reveals little other than it is 'multicast DNS' (plus a ton of conspiracy theories).

I'm guessing it's safe to comment this out?

Just expanding on that, I'm not sure default rules like this:

Quote:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
are ideal either, especially when it has no web server installed, has a live sendmail installed by default (not tested for open relay yet), has no printer, let alone the need to offer CUPS to other clients, and as for 60 and 51 - I'm at a loss to understand the need to open those by default.

Last edited by leslie_jones; 04-09-2012 at 10:35 AM.
 
Old 04-09-2012, 11:51 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,497
Blog Entries: 15

Rep: Reputation: 1463
22 is the default port for ssh (sshd), which is also used by scp/sftp. If you want access to the system via ssh (e.g. from another server or using something like PuTTY on Windows), scp or sftp, you either need to have this open or change the port used by sshd to something else and open that port (then close 22).

25 is for telnet and shouldn't be open by default in my opinion.

However, it doesn't matter if a port is "open" unless you're LISTENing on that port. Therefore the first thing you ought to check is whether the port is in fact LISTENing.

Doing "lsof -i :5353" shows me that it is avahi-daemon that is LISTENing on that port on my CentOS box. You'd want to understand what this daemon does before you decided to block it.

Doing lsof -i :<port> for the other ports you questioned should tell you what if anything is happening on those ports. Rather than simply blocking the ports by disabling in iptables you might want to disable whatever is LISTENing (e.g. cupsd for cups, xinetd service for telnetd maybe - see /etc/xinetd.d files). Disabling the ports in iptables if not necessary is a good idea but if nothing is LISTENing it doesn't matter if you haven't blocked them as no connection can be made to a port that isn't LISTENing from outside to inside your system.
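As an added example, not code from any post in this thread: a small script that applies the check described above (is anything actually LISTENing on a port the firewall accepts?) to the rule list quoted in post #1. The rule text and the listener list are both constructed for the example rather than taken from live command output, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: check the quoted ACCEPT rules against
# what actually listens, the lsof -i :<port> test described in post #2.
# The default RH-Firewall-1-INPUT rules quoted in post #1 (constructed input).
RULES='-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT'

# Constructed "proto port" pairs standing in for what lsof -i :<port> showed:
# sshd, sendmail, avahi-daemon and cupsd listening; nothing on 80 or 443.
LISTENING='tcp 22
tcp 25
udp 5353
tcp 631
udp 631'

# accepted_ports RULES: print "proto port" for each ACCEPT rule with --dport.
# Rules without one (-p 50 ESP, -p 51 AH: IPsec) carry no port and are skipped.
accepted_ports() {
    printf '%s\n' "$1" | awk '/-j ACCEPT/ {
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (port != "") print proto, port
    }'
}

# audit RULES LISTENING: an accepted port with no listener can simply lose its
# rule; one with a listener names a service (avahi-daemon, cupsd, sendmail) to
# disable or keep deliberately, which is the point of checking before blocking.
audit() {
    accepted_ports "$1" | while read -r proto port; do
        if printf '%s\n' "$2" | grep -qx "$proto $port"; then
            echo "$proto/$port LISTENING - review the service behind it"
        else
            echo "$proto/$port idle - nothing answers, the rule can go"
        fi
    done
}

audit "$RULES" "$LISTENING"
```

On a real box, replace the LISTENING text with the output of `lsof -i :<port>` for each port (or `ss -lntu`) before trusting the result.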
 
Old 04-09-2012, 11:54 AM   #3
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

Rep: Reputation: 899
Quote:
25 is for telnet and shouldn't be open by default in my opinion.
port 25 is SMTP
port 23 is telnet

Kind regards
 
Old 04-09-2012, 12:16 PM   #4
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Hi,

Since you're asking about port 5353, you may find answers here or here.

Good luck
 
Old 04-10-2012, 03:38 AM   #5
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Original Poster
Rep: Reputation: Disabled
I'd already looked through those links, and they are most MacEsque in tone.

It basically, for a desktop machine with no services running on it, looks like a bum set of rules to have with a default install, but I guess that comes down to Cent from the upstream.

I'll just kill them, no problem, but I wondered why they were there by default, particularly 5353.
 
Old 04-10-2012, 07:37 AM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,497
Blog Entries: 15

Rep: Reputation: 1463
Quote:
Originally Posted by repo View Post
port 25 is SMTP
port 23 is telnet

Kind regards
D'oh - You're right.
 
Old 04-10-2012, 07:38 AM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,497
Blog Entries: 15

Rep: Reputation: 1463
Quote:
Originally Posted by leslie_jones View Post
I'd already looked through those links, and they are most MacEsque in tone.

It basically, for a desktop machine with no services running on it, looks like a bum set of rules to have with a default install, but I guess that comes down to Cent from the upstream.

I'll just kill them, no problem, but I wondered why they were there by default, particularly 5353.
Did you read my post? I told you it is for avahi-daemon.
 
1 members found this post helpful.
Old 04-10-2012, 11:04 AM   #8
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater View Post
Did you read my post? I told you it is for avahi-daemon.
I'll be totally honest, when I read the line:

Code:
25 is for telnet and shouldn't be open by default in my opinion.
I skipped on because I knew it was not accurate. It was not a deliberate act or disrespect - it's just a subliminal thing, which is why I'm putting my hands up and saying 'no, I didn't read all of it' and trying to say why without being rude or smug, just honest.

avahi-daemon
Quote:
"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared."
Yuk - that sounds a bit UPnP-ish-esque to me and something I'd definitely NOT want alive and kicking by default, or open. I can't think of any reason why I would ever want to use this?

Thank you for solving the mystery and my apologies for not reading your post properly - I have told myself off and I am honestly grateful for the answer.
 
  

